There's synchronicity afoot in the electric utility cyber security space.
Last week, I reported here that U.S. Senator Richard Burr commented that he was "more encouraged to slow down the implementation of smart grid technology until we learn the things that we need to learn with a great deal of confidence." This remark came at the end of the U.S. Senate Committee on Energy and Natural Resources full committee hearing on cyber security of the bulk power system and electric infrastructure.
Over the course of the week, many in the industry opted to disagree with Senator Burr (who has, coincidentally, since resigned from the Senate Energy Committee in order to accept a much-sought-after appointment on the Senate Finance Committee).
During the same hearing, David Owens, executive vice president in charge of the Edison Electric Institute's business operations group, spoke passionately about the need for an ongoing dialogue involving industry and government with regard to cyber security, and the difference between (and equal importance of) "horizontal" and "vertical" communication. This was a welcome change from earlier testimony from participants that seemed to focus more on territorial challenges than workable solution involving all players.
"All of you know that cyber security is not a check-the box exercise. You can't say, 'if we do these 10 things, we're not going to have a cyber security problem,'" he told the committee. "Instead, cyber security requires an evolutionary process and an ongoing dialogue involving industry and government.
"Now, the threats that we face daily, and the mechanisms for identifying them, also vary. Sometimes the government will become aware of a threat, while other times it will be the industry or individual utilities that will become aware of this, or outside security firms or academia," he added. "The point is that there is no perfect process for indentifying what tomorrow's threats are, nor how a creative hacker might exploit vulnerabilities. A better approach, in my view, is fostering coordination and dialogues, both horizontally and vertically, between industry and government."
Owens' description of vertical communications is where I see government, to date, getting less-than-passing marks, quite frankly. And this is where cyber security efforts need to be firmly grounded, in real time.
"Vertical communications is the government communicating with the industry and vice versa," he told the Senate committee. "Now, we are not in the business in the utility industry of identifying threats, but the government is, and needs to coordinate very clearly with industry. On the other hand, we're pretty good at operating our systems and providing reliable electric service, and understanding how to address potential vulnerabilities.
"So I believe there's a shared responsibility," Owens continued. "There's a responsibility of government and there's a responsibility of industry to work together. If we're working together, then we can provide greater security over the overall system."
Horizontal communication, on the other hand, we're pretty good at already, Owens noted: Now, the electric industry, the private sector, we're working with a lot of other utilities that serve our nation...because we all have a commonality of keeping the lights on. The entire electric sector is working very closely together. That's an example of horizonal communication."
Interdependencies, such as with the water industry or the telecommunications industry, he said, were also important, and another example of horizontal communication.
"Now no single industry, in my view, can be considered secure unless we're engaged in coordination across those industry sectors," Owens said.
The same can be said, Owens pointed out, with horizontal communication within government departments. "I'm perfectly sure that DOE and the FERC communicate regularly. One agency probably has substantial intelligence about what's occurring in the electric network and in the other vital facilities of our nation. Whereas the other agency may have the responsibility of mandating reliability standards. But it's critically important that those agencies work together," he said. "So, in addressing cyber security, my view is that the government needs to consider how they engage in horizontal communications, as well."
So, how, as an industry, do we go about improving both horizontal and vertical communication with regard to cyber security? Yesterday, the National Rural Electric Cooperative Association (NRECA) released to the electric utility industry and other stakeholders its "Guide to Developing a Cyber Security and Risk Mitigation Plan." The guide, risk mitigation checklist and step-by-step plan template are already in use at the 23 electricity co-ops participating in the Cooperative Research Network's regional smart grid demonstration project, and Intelligent Utility Insights profiles the reasoning and key tools here.
Continue the conversation! Designed to create community and stimulate dialogue, Knowledge2011 Utility Executive Summit gathers senior leaders in Customer Service, Operations, and Information Technology from top investor-owned, municipally owned and cooperatively owned electric utilities for two days of interaction and collaboration, addressing the pressing topics most important to utility executives. This and other topics will be explored further. To learn more or to request an invitation, visit www.KnowledgeSummits.com
Editor-in-chief, Intelligent Utility magazine